Failed to index [1] messages. failed to parse field [DateTime] of type [date] in document

I eventually got it all working. Turns out you should put $. instead of .$.
I also got the conversion from epoch to Date up and running by adjusting the function that @gsmith wrote.
Since my epoch values look like this: 0000000000.000, I had to remove the .000, since it wouldn’t convert to long. Oh, and for now I added 7200 seconds to the value, since the server’s timezone is UTC +00:00:00 and my timezone is UTC +02:00:00. I will change the server’s timezone at a later date.
My full rule:

rule "parse the json log entries"
when has_field("json")
then
  // Parse the message's "json" field and pull the access-log values out of it
  // with JSONPath expressions (note the "$." prefix on every path).
  let parsed = parse_json(to_string($message.json));

  let picked = select_jsonpath(parsed, {
    time: "$.timestamp",
    remote_addr: "$.remote_addr",
    body_bytes_sent: "$.body_bytes_sent",
    request_time: "$.request_time",
    response_status: "$.response_status",
    request: "$.request",
    request_method: "$.request_method",
    host: "$.host",
    upstream_cache_status: "$.upstream_cache_status",
    upstream_addr: "$.upstream_addr",
    http_x_forwarded_for: "$.http_x_forwarded_for",
    http_referrer: "$.http_referrer",
    http_user_agent: "$.http_user_agent",
    http_version: "$.http_version",
    nginx_access: "$.nginx_access"
  });

  // The timestamp arrives as "0000000000.000" (seconds plus a fractional part).
  // Only the first 10 characters are kept so that to_long() sees whole seconds;
  // the result is then scaled to milliseconds for parse_unix_milliseconds().
  // NOTE(review): the +7200 moves the stored instant two hours ahead of the
  // real event time. Epoch seconds do not depend on the server's timezone, so
  // this field will not line up with timestamps from other log sources when
  // events are correlated, and a fixed offset ignores DST. Consider dropping
  // the offset and handling the timezone at display time - confirm.
  // NOTE(review): if "timestamp" is missing or not numeric, to_long() falls
  // back to its default value, which presumably yields a date near 1970 -
  // verify how such messages should be handled.
  let epoch_millis = (to_long(substring(to_string(picked.time), 0, 10)) + 7200) * 1000;
  set_field("date", parse_unix_milliseconds(epoch_millis));

  // Numeric fields.
  set_field("body_bytes_sent", to_double(picked.body_bytes_sent));
  set_field("request_time", to_double(picked.request_time));
  set_field("response_status", to_double(picked.response_status));

  // Boolean flag.
  set_field("nginx_access", to_bool(picked.nginx_access));

  // String fields describing the connection and the upstream.
  set_field("remote_addr", to_string(picked.remote_addr));
  set_field("host", to_string(picked.host));
  set_field("upstream_cache_status", to_string(picked.upstream_cache_status));
  set_field("upstream_addr", to_string(picked.upstream_addr));
  set_field("http_version", to_string(picked.http_version));

  // String fields taken from the request itself.
  // NOTE(review): these look like values supplied by the client (request line,
  // X-Forwarded-For, Referer, User-Agent). Presumably they are stored as sent;
  // treat them as untrusted in searches, alerts and dashboards, and prefer
  // remote_addr over http_x_forwarded_for for attribution unless the proxy
  // chain is known - confirm against the nginx log_format.
  set_field("request", to_string(picked.request));
  set_field("request_method", to_string(picked.request_method));
  set_field("http_x_forwarded_for", to_string(picked.http_x_forwarded_for));
  set_field("http_referrer", to_string(picked.http_referrer));
  set_field("http_user_agent", to_string(picked.http_user_agent));

end

Big thanks to you guys for helping me out, I really appreciate it!!
